1. Overview of First Time Authentication for Airborne Networks


Mobile airborne networks deployed and used by the armed forces face significant challenges in balancing security concerns with reliably servicing the needs of the forces dependent on them. These issues are complicated by the ever-changing collaborative environments that these networks are tasked to support. In this program, we address one of the most significant challenges inherent in these networks: how do you enable valid new users or hardware to securely interact with a network at the appropriate access level, when the network and user are both unknown to each other?

There are several major hurdles to overcome when tackling this issue. First, shifts in the makeup of allied forces over time may mean that large numbers of known users lose access, or new users gain access privileges, in short periods of time. Second, different portions of different networks are often operated by separate factions, and users are appropriately reticent to send credential information through some of these networks.

This is particularly true in MANETs (Mobile Ad hoc Networks) that may be self-organizing, because of the risk that this credential information may become compromised and inappropriately used at a future date through replay or man-in-the-middle attacks. For example, consider a military operation scenario where a soldier with time-critical targeting information must quickly connect to an ad hoc coalition network to impart necessary information, but has never accessed that network before. The information must be quickly and reliably passed, while maintaining anonymity and security from unknown entities that may be monitoring transmissions.

Essentially, the fundamental issues from both the user and network perspective boil down to the same thing: credential and key management systems. Whether they are meant to assure networks of a user's privileges or a user of the network's validity, current credential and key management systems are designed for long-term use on the order of hours or days. In a collaborative airborne networking environment the fundamental nature of the mission encourages frequent user and hardware turnover on the order of minutes or seconds.

In the First Time Authentication for Airborne Networks (FAAN) program we investigate the use of the Zero Knowledge Protocol (ZKP) to authenticate and secure communication in a manner compatible with the requirements of an airborne network.
2. Zero Knowledge Protocol Algorithms


The Zero Knowledge Protocol (ZKP) is a powerful technique that replaces the portion of a traditional credential-based key management system where credentials are exchanged.
Instead,  in  ZKPs  a  proof  of  the  existence  of  the  credential  is  sent,  allowing  the  receiver  to 
develop  absolute  confidence  that  the  user  has  a  valid  credential,  without  exposing  the 
credential  to  risk  of  compromise.  The  proof  consists  of  a  series  of  challenge-response 
exchanges,  and  even  the  capture  of  all  previous  challenge-response  interchanges  does  not 
allow  the  re-creation  of  the  credential,  in  the  same  way  that  the  capture  of  encrypted 
traffic  does  not  allow  the  cracking  of  an  encryption  key.  In  addition,  the  mathematics  of 
the  protocol  guarantees  that  no  information  other  than  the  existence  of  a  valid  certificate 
is  contained  in  the  response.  Thus,  unlike  with  a  standard  scheme  where  repeat  users  can 
be  identified  or  tracked  using  their  unique  certificate,  such  information  can  only  be 
gleaned  from  the  exchange  if  explicitly  included  by  the  user.  This  property  can  be 
valuable  for  certain  personnel  for  which  identity,  time,  location,  and  content  of 
transmittals  are  extremely  sensitive  and  leakage  of  such  information  could  pose  serious 
risk  to  themselves  and  their  mission. 

In  an  open  environment,  the  exchanges  of  authentication  protocols  are  susceptible  to 
eavesdropping;  it  is  important  to  formalize  notions  of  security  to  gauge  the  strength  of 
these protocols. ZKP is no exception. Methods such as Direct Anonymous Attestation [34, 35] provide properties such as anonymity, secrecy, strong secrecy, and authenticity that are desirable for any protocol to be secure; these properties are embedded in ZKP by design.

Anonymity and secrecy go hand in hand in ZKP; briefly, anonymity is when the server cannot tell who it is authenticating, and secrecy is when the user does not reveal his secret credential to the server. All users, including the adversary, may start the protocol with the server; anonymity is guaranteed because an adversary cannot tell from the protocol outputs which users are authenticated by the server. Also, since an authenticated user never reveals his secret (and therefore his identity) during ZKP exchanges, the server is able to establish the legitimacy of the user, but cannot tell the legitimate users apart. Furthermore, since the outputs from the user contain only information derived from his secret key, his secret remains hidden.

Strong secrecy is when the adversary cannot tell when the value of the secret changes. Since the user never reveals his secret in any of his exchanges with the server, the adversary cannot tell from the outputs alone that the user has changed his secret. Authenticity is when the server is able to verify with some certainty that the user has the appropriate credentials; as we will illustrate in the following sections, when a user passes all the server's challenges, the probability that the user is an imposter becomes exponentially small; therefore authenticity is maintained in the ZKP.
2.1 ZKP Overview


In  most  authentication  schemes,  the  identities  of  the  users  who  wish  to  gain  access  to 
resources  are  associated  with  a  secret  identification,  such  as  a  password  or  certificate, 
known  only  by  the  users  and  the  authority.  The  traditional  approach  is  for  the  user  to 
reveal their secret to the authority to prove their identity. There are several problems with this approach. First, the authority may not be who he claims to be; that is, a malicious third party could pose as the authority. In this case, by revealing his secret password to the imposter, the user compromises the system of trust, and the system can no longer guarantee that those who are able to gain access are legitimate users. Furthermore, even if the authority is trustworthy, revealing a password is susceptible to eavesdropping, compromising the system.

The  use  of  zero-knowledge  protocols,  on  the  other  hand,  effectively  removes  these 
problems.  It  is  usually  assumed  that  in  any  zero-knowledge  protocol  the  users  have  in 
their  possession  secrets  that  are  known  only  to  themselves.  Furthermore,  the  secrets  will 
generally  be  very  hard  to  deduce  via  computation  and  therefore  will  not  be  susceptible  to 
guessing  by  a  malicious  third  party.  Also,  zero-knowledge  protocols  are  designed  such 
that  no  information  is  leaked  about  the  secrets  that  the  users  possess  during  the 
authentication  process,  so  that  a  malicious  user  would  gain  nothing  out  of  eavesdropping. 

A subtlety exists when a zero-knowledge protocol is being implemented. In particular, one must make a distinction between a scheme that maintains identification and one that maintains anonymity. An identification scheme associates each user with a secret key, which is
kept  private;  the  server  keeps  the  corresponding  public  keys,  which  are  used  upon 
authentication  requests  to  validate  the  legitimacy  of  the  users.  However,  the  identity  of 
the  user  is  revealed  once  the  authentication  succeeds.  Since  the  user  must  include  his 
public  key  in  his  correspondence  with  the  server,  if  the  public/private  keys  are  distinct 
then  the  user’s  activities  can  be  followed  by  a  malicious  entity.  A  scheme  that  guarantees 
anonymity,  on  the  other  hand,  reveals  nothing  about  the  user,  even  after  successful 
authentication.  A  scheme  with  weak  anonymity  is  one  that  assigns  users  with  the  same 
identification  and  secret  information,  so  that  all  valid  users  look  alike  to  any  observer  of 
the  system.  A  scheme  with  strong  anonymity  assigns  every  user  a  unique  identifier,  yet 
the  users  remain  indistinguishable  to  eavesdroppers  and  other  users  in  the  system.  The 
generic  ZKP  only  provides  weak  anonymity.  We  will  discuss  in  section  4  methods  that 
can  be  used  to  overcome  this,  as  it  inherently  prevents  the  simultaneous  support  of 
anonymity  and  privilege  revocation. 
The general flow of zero knowledge protocols is described below. The user who wishes
to  prove  his  identity  to  the  authority  is  known  as  the  prover,  and  the  authority  is  known  as 
the  verifier.  The  prover  generally  has  a  secret  that  is  generated  by  combining  a  unique 
piece  of  information  originally  assigned  when  access  is  first  granted,  with  a  public  piece 
of  information  that  may  be  periodically  published.  At  the  beginning  of  each  zero 
knowledge  proof  round,  the  prover  publishes  his  public  keys.  The  typical  pattern  of 
exchanges  between  the  prover  and  the  verifier,  repeated  over  several  rounds,  is: 

1) The prover (P) sends the verifier a value that is computed based on his private key.

2) The verifier flips a coin, and asks the prover to answer one of two questions based on the result of the coin flip. Generally the questions are either to answer a question about the value that was sent in step 1, or to answer a question about the secret key.

3) The prover sends the verifier the answer to his question.

4) The verifier checks that the answer is correct.

[Figure 1: Typical ZKP Exchanges. Diagram of the message flow between Prover and Verifier: the public keys are published first, then each of the ZKP rounds consists of Protocol Initiation, Challenge, Response, and Verification.]


Note that in this scenario the prover's private key is never revealed. The verifier gains more confidence in the user's authenticity as the number of rounds increases. In particular, suppose that a malicious prover M tries to masquerade as a legitimate user without knowing that user's private key.
Since the verifier V has no knowledge of which challenge question he is going to send until the coin flip in step 2, and since M does not have the prover's secret key, M only has a 50% chance of getting the answer correct in step 3, assuming that the secret is sufficiently difficult to guess. This is a good assumption in the initial challenge-response exchange, but if the malicious prover M has been eavesdropping on a number of interchanges between legitimate users, that assumption may become invalid. A good ZKP protocol minimizes this risk by making intelligent secret guessing extremely difficult even if the malicious user collects significant data on valid exchanges, in the same way that encryption makes key guessing extremely difficult despite numerous exchange captures.

Assuming the malicious prover is unable to make an intelligent guess regarding a valid user's secret, over a k-round exchange between the prover and the verifier the probability that M successfully cheats on all k rounds is $(1/2)^k$. For even a moderate value of k the probability of cheating successfully is exceptionally small.

Although all zero-knowledge protocols share the characteristics outlined above, each protocol can be categorized according to the problems that are considered computationally hard to solve. Each category of protocols comes with different intrinsic properties. In particular, we are interested in the scalability in terms of bandwidth utilization, number of exchanges, and calculation requirements for these protocols while maintaining strong security properties in an airborne networking environment.


2.2 General survey of ZKP Algorithms

The Zero Knowledge Protocol uses a computationally hard problem as the basis of its security, so that without the user's secret it becomes difficult for an adversary to calculate a probable answer to any given question posed by the server during the challenge-response exchange, even if the adversary has been eavesdropping on all previous exchanges. In the past 20 years many different hard problems have been utilized. One common category of problems used is NP-Complete problems, since their computational time complexity is known to be extreme enough to foil any adversary for some subset of the possible questions (the worst-case scenarios that define the time complexity). The conclusion that any NP problem can be the basis for a zero-knowledge proof is established in [2]. The Graph Three-Colorability problem is one such NP-Complete problem that has been explored for use in zero-knowledge proofs [1].
There are also non-NP problems that may be hard enough in the average case to be considered for use in ZKP. In some cases, they may even be superior. The key issue is that while NP is a description of the difficulty of answering the hardest question, it is not a description of the difficulty of answering the average question. For many NP problems there exist heuristics that help generate answers in polynomial time for a large subset of the possible questions. The utilization of such NP problems is not out of the question, but to do so a mechanism must be designed to generate a subset of the NP problem for which the average case has a high time complexity due to the ineffectiveness of heuristic solutions. Such mechanisms are not always easy to construct, and in some cases problems that have not been proven to be in either NP or P may have better average-case characteristics, making them more appropriate for use in a zero-knowledge protocol.

In  [3]  it  is  noted  that  when  the  zero  knowledge  requirement  is  relaxed  to  Statistical  Zero 
Knowledge  (instead  of  Perfect  Zero  Knowledge),  a  whole  class  of  problems  not  in  NP 
can  be  used  to  construct  ZKP.  These  include  Graph  Non  Isomorphism,  and  Permutation 
Group  Non  Isomorphism.  Other  problems  include  Quadratic  Residuosity,  Discrete 
Logarithm,  as  well  as  the  Shortest  Vector  and  Closest  Vector  problems  in  lattices. 

Lattice-based Zero-Knowledge Proofs have been a popular research topic in the last decade. Two example problems that are lattice based are the Shortest Vector Problem (SVP) and Closest Vector Problem (CVP). Lattice problems rely on the hardness of finding approximate solutions to the given problem. Goldreich et al. [4] presented some results for lattice-based ZKP and concluded that approximating SVP and CVP to within $\sqrt{n}$ (where n is the dimension of the lattice) is unlikely to be NP-hard. Micciancio [5] showed that SVP is NP-hard to approximate within any constant less than $\sqrt{2}$.

ZKP can be extended to concurrent executions of the protocol with a single prover and multiple verifiers; this concept is studied in [6]. Micciancio et al. [7] showed some results on concurrent ZKP. An application of concurrent ZKP can be found in how a web server communicates with its clients. In this example, the web server is the prover, and the clients are the verifiers. Concurrent ZKP is designed to thwart an adversary who may control several clients and start sessions with the server in an attempt to extract information from the server.

There  are  also  several  secure  identification  schemes  that  make  use  of  the  zero  knowledge 
protocol.  The  first  was  the  Fiat-Shamir  [20]  scheme  based  on  the  problem  of  modular 
square  roots  extraction.  Extensions  of  this  scheme  have  been  proposed,  as  well  as  some 
based  on  factorization  and  on  the  discrete  log  problem.  These  schemes  have  a  high 
computational  load  due  to  arithmetic  operations  modulo  large  primes. 
There are a number of schemes that have been proposed to facilitate secure identification on smart cards. In 1989 Shamir proposed a scheme based on the NP-Complete Permuted Kernels Problem (PKP) [10]. In 1992 Baritaud et al. [16] proposed a time-memory trade-off algorithm which led to a reduction in the computation time needed to solve PKP. In 2001 a new attack on PKP was found [17] based on an algorithm designed to count points on elliptic curves. This algorithm was still exponential, but would theoretically solve the PKP for the original size proposed by Shamir on a single PC in 125 years.

Other schemes suitable for use on smart cards have been developed [9, 11, 12, 13, 14]. In 1989 Stern [14] proposed a scheme that relied on the intractability of some coding problems, which he later claimed was not practical. In 1993 Stern proposed another scheme based on the NP-Complete problem of Syndrome Decoding (SD) [11], i.e., on the hardness of decoding a word of a given syndrome w.r.t. some binary linear error correcting code. In 1994 Stern proposed a scheme based on the NP-Complete problem of Constrained Linear Equations (CLE) [12]. In 1994 Pointcheval proposed a scheme based on the NP-Complete Perceptron Problem (PP) [13, 19]. In 1997 Poupard [15] analyzed PKP and CLE to determine the theoretical limit to the efficiency of the known attacks, to determine the practical results they permit, and to get a precise evaluation of which parameters should be chosen for a secure use of these protocols. In 1999 Knudsen and Meier [18] found an attack on PP (and subsequently PPP). In 2003 Pointcheval and Poupard developed a scheme based on the NP-Complete Permuted Perceptrons Problem (PPP) [8], addressing the attacks found to date. PPP was implemented for smart cards and was able to achieve the minimal requirements of 2 KB of EEPROM, 100 bytes of RAM, and 6.4 KB of communication.


2.3 Specific ZKP Algorithms

Below we discuss specific details of a few of the best known ZKP protocols. The Graph Isomorphism protocol was chosen at the request of AFRL to complement work being simultaneously pursued by Professor Namaduri and his students at the University of North Texas. We chose to complement this with a study of the discrete log and factoring protocols, as they are the most highly studied and most rigorously reviewed problems in the community and form the basis of many cryptographic protocols, though the factoring algorithm presented here is an identification scheme which only offers weak anonymity if the public/private information is shared among users.
2.3.1 Graph Isomorphism Overview


It is generally assumed that computing the graph isomorphism between two graphs is a difficult problem [33]. However, nothing is known about the graph isomorphism (GI) class, i.e. it is unknown if GI resides in P or NP. Furthermore, there are many instances of graphs, such as planar graphs and trees, where it is known that the graph isomorphism problem can be solved efficiently in polynomial time [28]. These cases are common enough that the general form of the graph isomorphism problem is inappropriate as the basis for a zero-knowledge algorithm, since the average case analysis is poor. Thus, the question arises, is there a subset of questions which we can identify and generate that are sufficiently difficult?

One subset problem we explored is the graph isomorphism problem applied to regular graphs. It is not known if there exists an efficient isomorphism algorithm for them. In fact, it has been conjectured that many classes of graphs are easy to solve using heuristic-based graph isomorphism analysis methods. One class of graphs that is considered difficult to solve using heuristic methods is regular graphs. In fact, it has been hypothesized that regular graphs are the reason the graph isomorphism problem is not in P [31].

Under the assumption that graph isomorphism on regular graphs is a hard problem, given two n-node graphs G and F, the prover (P) claims to know the mapping $\sigma$ between G and F. V is the verifier.

The protocol:

1) P -> V: P generates an isomorphism F' of F using a random mapping $\tau$ and sends F' to V;

2) V -> P: V sends a random bit b;

3) P -> V: if b is 0, P sends V the mapping $\tau$; otherwise, P sends V the composed mapping $\sigma\tau$;

4) V verifies that either $\tau$ maps F to F', or $\sigma\tau$ maps G to F'.
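The four steps above, run for several rounds, as an added example that is not code from the report. It assumes a constructed public graph G (the Petersen graph, which is 3-regular, matching the regular-graph setting of this section), takes F = σ(G), composes mappings so that στ applies σ first and then τ, and also simulates the malicious prover M of section 2.1 who guesses the coin in advance, so that his success over k rounds comes out at about (1/2)^k:

```python
import random

# Added example (not from the report): the Graph Isomorphism ZKP of section 2.3.1 on a
# constructed 3-regular graph, plus the cheating prover of section 2.1. A graph is a
# frozenset of 2-vertex frozensets over vertices 0..n-1; a permutation p is a tuple
# with p[i] the image of vertex i.

def relabel(edges, p):
    """Apply permutation p to every edge, giving an isomorphic copy of the graph."""
    return frozenset(frozenset((p[u], p[v])) for u, v in edges)

def compose(p, q):
    """Permutation 'apply q first, then p': compose(p, q)[i] == p[q[i]]."""
    return tuple(p[q[i]] for i in range(len(q)))

def random_perm(n, rng):
    p = list(range(n))
    rng.shuffle(p)
    return tuple(p)

def vertex_count(edges):
    return len({v for e in edges for v in e})

def petersen_graph():
    """Constructed public graph G: the Petersen graph (10 vertices, 3-regular)."""
    outer = [(i, (i + 1) % 5) for i in range(5)]
    spokes = [(i, i + 5) for i in range(5)]
    inner = [(5 + i, 5 + (i + 2) % 5) for i in range(5)]
    return frozenset(frozenset(e) for e in outer + spokes + inner)

def keygen(G, seed):
    """Private key sigma and public graph F = sigma(G). Section 3.1.1.1: sigma must
    not be an automorphism of G, otherwise F == G and any permutation in Aut(G)
    answers the b = 1 challenge, so resample until sigma(G) differs from G."""
    rng = random.Random(seed)
    n = vertex_count(G)
    while True:
        sigma = random_perm(n, rng)
        F = relabel(G, sigma)
        if F != G:
            return sigma, F

def verify(G, F, F_prime, b, answer):
    """Step 4: the permutation must map F to F' (b == 0) or G to F' (b == 1)."""
    source = F if b == 0 else G
    return relabel(source, answer) == F_prime

def honest_round(G, F, sigma, rng):
    """Steps 1-4 with a prover who knows sigma."""
    tau = random_perm(len(sigma), rng)                # 1) fresh random isomorphism tau
    F_prime = relabel(F, tau)                         #    F' = tau(F) is sent to V
    b = rng.randint(0, 1)                             # 2) verifier's coin flip
    answer = tau if b == 0 else compose(tau, sigma)   # 3) tau, or sigma-then-tau (G -> F')
    return verify(G, F, F_prime, b, answer)           # 4)

def cheating_round(G, F, rng):
    """Prover M without sigma guesses the coin in advance and prepares the one
    answer it can give; it passes exactly when the guess matches the real coin."""
    guess = rng.randint(0, 1)
    pi = random_perm(vertex_count(G), rng)
    F_prime = relabel(F, pi) if guess == 0 else relabel(G, pi)
    b = rng.randint(0, 1)
    return verify(G, F, F_prime, b, pi)

def honest_passes(G, F, sigma, k, seed):
    """True iff an honest prover is accepted in all k rounds."""
    rng = random.Random(seed)
    return all(honest_round(G, F, sigma, rng) for _ in range(k))

def cheat_success_rate(G, F, k, trials, seed):
    """Fraction of trials in which M passes all k rounds; expected about (1/2)^k."""
    rng = random.Random(seed)
    wins = sum(all(cheating_round(G, F, rng) for _ in range(k)) for _ in range(trials))
    return wins / trials

if __name__ == "__main__":
    G = petersen_graph()
    sigma, F = keygen(G, seed=7)
    print("honest prover, 30 rounds:", honest_passes(G, F, sigma, 30, seed=1))
    print("cheater, 1 round:", cheat_success_rate(G, F, 1, 2000, seed=2))
    print("cheater, 20 rounds:", cheat_success_rate(G, F, 20, 200, seed=3))
```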

2.3.2 Factoring Overview

Factoring is a problem that has been vigorously pursued in mathematics for hundreds of years, and while no proof exists, experts agree it is extremely unlikely to be solved in polynomial time. Thus, while there is no proof that it is in NP, it is often treated as such. In general, one can assume that with primes p and q large enough, it is not possible to factor $n = pq$ efficiently without prior knowledge of p and q [37]. The prover P chooses $x < n$ as its private key, and publishes n along with its public key a, where $a \equiv x^2 \pmod{n}$. Note that in this case anonymity is not preserved. In order to preserve anonymity all users must have the same public key.
The protocol:

1) P -> V: P chooses r at random, and sends $y \equiv r^2 \pmod{n}$ to V;

2) V -> P: V sends a random bit b;

3) P -> V: if b is 0, then P sends V $z = r$; otherwise, P sends V $z \equiv xr \pmod{n}$;

4) V verifies that $y a^b \equiv z^2 \pmod{n}$.

The  Guillou-Quisquater  Identification  Scheme  [42]  is  an  algorithm  that  utilizes  the 
hardness  of  factoring  to  ensure  security  of  the  protocol. 


2.3.3 Discrete Log Overview

The discrete logarithm problem [21] is simple to state: suppose that $\alpha^x \equiv \beta \pmod{N}$, and that one wishes to compute the solution x, given $\alpha$, $\beta$, and N. As with factoring, it has not been formally proven to be in either P or NP, but the consensus among mathematicians is that it is extremely likely to be NP. In general, with cryptographic protocols, and in particular with zero-knowledge proofs, the difficulty of the problem is used to form the basis of the security assumption, i.e., if one does not possess a solution, it is highly unlikely that one can make an intelligent guess by computing values associated with the solution in a dynamic fashion.

In the protocol, the prover P has to show his knowledge of the discrete logarithm x in $\alpha^x \equiv \beta \pmod{N}$ without revealing his solution. The values $\alpha$, $\beta$, and N are published; let N be a prime and $Z_N^*$ be the positive integers less than N.

The protocol:

1) P -> V: P selects r from $Z_N^*$, and sends $\gamma \equiv \alpha^r \pmod{N}$ to V;

2) V -> P: V sends a random bit b;

3) P -> V: P sends $y = r + bx \pmod{\varphi(N)}$ to V;

4) V checks that $\alpha^y \equiv \gamma \beta^b \pmod{N}$.

The Schnorr Identification Scheme [42] is a well-known application of the discrete log protocol. Distributed Infinity has done work in the past on a more sophisticated application [39, 40, 41] of the discrete log protocol which facilitates strong anonymity through the addition of secret unique keys. These unique keys only affect updating and revocation. The general communication procedure is exactly as described here. It should be noted that, in order to gather the results shown in section 3.2.2, our implementation of the discrete log ZKP had strong anonymity support removed. This was to facilitate a head-to-head comparison of the three methods tested.
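The factoring protocol of section 2.3.2 and the discrete log protocol of section 2.3.3 side by side, as an added example that is not the report's or Distributed Infinity's implementation. It assumes constructed small primes (1000003 and 999983 for n = pq, and the prime N = 1000003 with base α = 2 for the discrete log case) so the arithmetic stays readable, and it includes, for each protocol, the prover without the secret who can satisfy only one of the two possible challenges per round:

```python
import math
import random

# Added example (not from the report): the factoring ZKP of section 2.3.2 and the
# discrete-log ZKP of section 2.3.3 as (keygen, commit, respond, verify) functions
# sharing one round loop, plus the cheating prover without the secret. Moduli are
# constructed small primes so the numbers stay readable; real ones must be unfactorable.

FAC_P, FAC_Q = 1000003, 999983        # constructed primes p, q (secret)
FAC_N = FAC_P * FAC_Q                 # public modulus n = p*q

def fac_keygen(seed):
    """Private x < n coprime to n; public a = x^2 mod n."""
    rng = random.Random(seed)
    while True:
        x = rng.randrange(2, FAC_N)
        if math.gcd(x, FAC_N) == 1:
            return x, pow(x, 2, FAC_N)

def fac_commit(rng):
    """Step 1: P picks random r and sends y = r^2 mod n; returns (r, y)."""
    r = rng.randrange(2, FAC_N)
    return r, pow(r, 2, FAC_N)

def fac_respond(x, r, b):
    """Step 3: z = r if b == 0, else z = x*r mod n."""
    return r if b == 0 else (x * r) % FAC_N

def fac_verify(a, y, b, z):
    """Step 4: accept iff y * a^b == z^2 (mod n)."""
    return (y * pow(a, b, FAC_N)) % FAC_N == pow(z, 2, FAC_N)

def fac_cheat(a, guess, rng):
    """Prover without x: guess 0 commits honestly; guess 1 picks z first and sets
    y = z^2 * a^-1 mod n, which passes only if the real coin turns out to be 1."""
    if guess == 0:
        r, y = fac_commit(rng)
        return y, r
    z = rng.randrange(2, FAC_N)
    return (pow(z, 2, FAC_N) * pow(a, -1, FAC_N)) % FAC_N, z

DL_N = 1000003                        # constructed prime modulus N
DL_ALPHA = 2                          # public base alpha

def dl_keygen(seed):
    """Private x; public beta = alpha^x mod N (resample the rare x giving beta == 1)."""
    rng = random.Random(seed)
    while True:
        x = rng.randrange(2, DL_N - 1)
        beta = pow(DL_ALPHA, x, DL_N)
        if beta != 1:
            return x, beta

def dl_commit(rng):
    """Step 1: P picks r in Z_N^* and sends gamma = alpha^r mod N; returns (r, gamma)."""
    r = rng.randrange(1, DL_N)
    return r, pow(DL_ALPHA, r, DL_N)

def dl_respond(x, r, b):
    """Step 3: y = r + b*x mod phi(N), with phi(N) = N - 1 for prime N."""
    return (r + b * x) % (DL_N - 1)

def dl_verify(beta, gamma, b, y):
    """Step 4: accept iff alpha^y == gamma * beta^b (mod N)."""
    return pow(DL_ALPHA, y, DL_N) == (gamma * pow(beta, b, DL_N)) % DL_N

def dl_cheat(beta, guess, rng):
    """Prover without x: guess 1 picks y first and sets gamma = alpha^y * beta^-1."""
    if guess == 0:
        r, gamma = dl_commit(rng)
        return gamma, r
    y = rng.randrange(1, DL_N - 1)
    return (pow(DL_ALPHA, y, DL_N) * pow(beta, -1, DL_N)) % DL_N, y

def honest_passes(commit, respond, verify, x, pub, k, seed):
    """True iff a prover who knows x is accepted in all k rounds."""
    rng = random.Random(seed)
    for _ in range(k):
        r, c = commit(rng)
        b = rng.randint(0, 1)                 # step 2: verifier's coin
        if not verify(pub, c, b, respond(x, r, b)):
            return False
    return True

def cheat_success_rate(cheat, verify, pub, k, trials, seed):
    """Fraction of trials in which the cheater passes all k rounds; about (1/2)^k."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        ok = True
        for _ in range(k):
            c, answer = cheat(pub, rng.randint(0, 1), rng)   # guess made before the coin
            if not verify(pub, c, rng.randint(0, 1), answer):
                ok = False
                break
        wins += ok
    return wins / trials
```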
2.4 Direct Anonymous Attestation

The  Direct  Anonymous  Attestation  (DAA)  protocol  was  proposed  by  the  Trusted 
Computing  Group  (TCG)  for  use  in  their  Trusted  Platform  Module  (TPM)  specification. 

The  DAA  uses  a  discrete  logarithm  based  ZKP  as  follows  [34,  35]:  A  TPM  chooses 
secret  message  f,  and  obtains  a  signature  on  it  from  the  issuer  via  a  secure  two-party 
protocol,  and  then  the  TPM  can  convince  a  verifier  that  it  got  an  attestation  anonymously 
by  showing  a  proof  of  knowledge  of  an  attestation.  This  is  done  by  computing  N  =  g  , 
where  g  is  the  generator  of  an  algebraic  group.  The  group  is  generally  chosen  such  that 
computing  the  discrete  logarithm  is  infeasible. 

The  TCG  proposed  use  of  the  DAA  requires  the  TPM  to  interact  with  a  Privacy 
Certification  Authority  (Privacy  CA)  during  every  transaction.  This  bottleneck  may 
prove  to  be  too  costly  in  the  long  run. 
3. Algorithmic Requirements and Results


The theoretical requirements for a functional Zero Knowledge Protocol are detailed below, as well as results obtained from our implementations of a factoring-based ZKP and a discrete log-based ZKP. In some cases the results are presented in terms of mathematical analysis of the properties of the algorithm, such as for Graph Isomorphism. In other cases, such as with the factoring and discrete log ZKPs, we present performance metrics gathered by implementing specific ZKP algorithms.

3.1  Graph  Isomorphism  Requirements  and  Results 


3.1.1  Requirements 


3.1.1.1 Key Generation Requirements

Before the ZKP rounds begin, a candidate graph G is selected, on which the entire protocol relies. Assuming that G is chosen at random from the entire space of graphs, and that the edges of a graph can be encoded using $O(c)$ bits, then the $O(n^2)$ bits of G and F are made public. The private key $\sigma$ takes $O(n)$ to compute, and using $\sigma$, F takes $O(n^2)$ to generate.

However,  it  is  naive  to  assume  that  any  random  graph  G  is  as  secure  as  others.  In 
particular,  there  are  algorithms,  such  as  Nauty[28],  which  can  solve  many  graph 
isomorphism  problems  very  efficiently;  therefore  it  is  vital  to  choose  a  graph  G  for  which 
the  isomorphism  problem  is  hard  to  solve  in  polynomial  time. 

There is experimental evidence that regular graphs are harder to solve for the current state-of-the-art algorithms [24]. Briefly, an r-regular graph is an undirected graph in which every node is adjacent to r nodes. The selection of G (and therefore F) from the r-regular graph space as public keys would use $O(rn)$ bits of communications overhead.

Furthermore, the choice of $\sigma$ is also vital to the security of the protocol. Given a graph G, the graphs induced by Aut(G), the automorphism group of G, have the same adjacency matrix structure as G. In particular, when $\sigma \in Aut(G)$, the adjacency matrix of F looks exactly the same as that of G, rendering the protocol extremely easy to cheat. Thus the choice of $\sigma$ must be outside of Aut(G). Let $S_G = |Aut(G)|$ denote the size of Aut(G). The probability of choosing a non-automorphic $\sigma$ is exactly $1 - S_G/n!$, and therefore the expected number of picks until a non-automorphism is chosen is exactly $n!/(n! - S_G)$. Clearly the expected number of selections for $\sigma$ depends on $S_G$; however, the exact size of Aut(G) for regular graphs is a poorly understood area [30]. Therefore we shall denote the computational overhead for selecting $\sigma$ by $O(1/S_G)$, since the time it takes to find a good $\sigma$ is clearly inversely proportional to $S_G$.

3.1.1.2 Protocol Initiation Requirements

The same issues exist here as in the key generation. Since F is an r-regular graph, F' must also be an r-regular graph. Thus the communication overhead to send the verifier the edges of F' is $O(rn)$ bits, and the computation overhead for selecting $\tau$ is $O(1/S_F)$, where $S_F = |Aut(F)|$.


3.1.1.3 Answer Generation Requirements

Regardless of the question asked by the verifier, the prover sends one permutation to the verifier, which takes $O(n)$ bits of overhead. If the verifier asks to see the mapping between G and F', then the prover has to compute $\sigma\tau$, which takes $O(n)$ time.


3.1.1.4 Verification Requirements

The verifier takes the permutation sent by the prover and applies it to either G or F, which takes $O(n^2)$ time to reshuffle the adjacency matrices.


3.1.1.5 Overall Performance Requirements

When regular graphs are used for the protocol, the total communications overhead is $O(rn)$ bits, and the computation overhead is $O(n^2) + O(1/S_G) + O(1/S_F)$. Clearly, the scalability of the graph isomorphism protocol relies on r, $S_G$, and $S_F$.
3.1.2 Theoretical Results

According to the GI protocol, the mapping σ stays fixed but a new mapping τ is generated at every iteration. It is meaningless to discuss the security of the protocol when σ ∈ Aut(G), since the prover's secret is out in the open in that case. Therefore, in the ensuing discussion we shall assume that σ ∉ Aut(G). In the following analysis, we assume an honest prover P, an honest verifier V, and an eavesdropper E who listens to the exchanges in the protocol.

1-round analysis:

At step 1 of the protocol, the prover chooses τ at random to generate F'. The probability that τ ∈ Aut(F) is S_F/n!, and we denote this probability by Pr[τ ∈ Aut(F)]. At steps 2 and 3 of the protocol, the prover sends either the mapping τ or σ∘τ to the verifier, depending on the verifier's coin flip, which is random and independent of all other events in the protocol. Therefore, an eavesdropper is successful at uncovering σ only when τ ∈ Aut(F) and the coin flip is 1; in the language of probability and events, the eavesdropper is successful when the conjunction of two events occurs, i.e., when τ ∈ Aut(F) and CoinFlip = 1. The two events are independent because coin tosses are independent of everything else in the protocol, therefore the probability of this conjunction is given by

$$\Pr[\text{CoinFlip}=1 \cap \tau \in \mathrm{Aut}(F)] = \Pr[\text{CoinFlip}=1]\cdot\Pr[\tau \in \mathrm{Aut}(F)] = \tfrac{1}{2}\cdot\frac{S_F}{n!}.$$

This analysis assumes that the eavesdropper can gain no advantage in guessing based on an analysis of previous exchanges. There is currently no theoretical basis for this assumption, which puts the validity of using GI-based zero knowledge protocols into question.

k-round Analysis:

We wish to find the probability that the eavesdropper successfully uncovers σ at the kth round. Clearly, that means the eavesdropper has failed at the first k − 1 rounds, so

$$\Pr[\text{eavesdropper uncovers } \sigma \text{ at exactly the } k\text{th round}] = \Big(\prod_{i=1}^{k-1}\Pr[\text{eavesdropper fails at round } i]\Big)\cdot\Pr[\text{eavesdropper successful at round } k] = \Big(1-\tfrac{1}{2}\cdot\frac{S_F}{n!}\Big)^{k-1}\cdot\tfrac{1}{2}\cdot\frac{S_F}{n!}.$$
Distribution of Eavesdropper's successes:

Taking the results from the k-round analysis, we can then calculate the probability that the eavesdropper has to try more than k rounds before he succeeds:

$$\Pr[\text{eavesdropper uncovers } \sigma \text{ after the } k\text{th round}] = 1 - \sum_{i=1}^{k}\Pr[\text{eavesdropper uncovers } \sigma \text{ at exactly the } i\text{th round}];$$

however, the quantity $\sum_{i=1}^{k}\Pr[\text{eavesdropper uncovers } \sigma \text{ at exactly the } i\text{th round}]$ is clearly a geometric series, therefore a finite sum exists. After applying the geometric sum and some simple algebraic manipulations, we arrive at

$$\Pr[\text{eavesdropper uncovers } \sigma \text{ after the } k\text{th round}] = 1 - \Big(1-\tfrac{1}{2}\cdot\frac{S_F}{n!}\Big)^{k}.$$


Figure  2:  Probability  Distribution  for  uncovering  secret  permutation  after  k  rounds. 

It is clear from this graph that the smaller the value of S_F = |Aut(F)|, the longer it takes for an eavesdropper to uncover the secret permutation σ. Therefore it can be argued that smaller values of S_F lead to a more secure GI protocol.
3.1.3 Application of the Protocol based on regular graphs.

The analysis regarding the complexity of generating graphs from the previous sections assumes that generating an appropriate graph is as easy as selecting a random graph from the space of all graphs. As is seen from the analysis, graphs whose automorphism groups are smaller tend to have better security in the protocol. Random regular graphs are not trivial to generate, however, and have been the subject of interest in the community [25, 27]. In addition, regular graphs seem to be one of the more difficult instances of graphs for graph isomorphism [31]. In this section, we examine the security of regular graphs using the technique we developed in the previous sections.

Definition: a graph G is regular if all vertices v in G have the same number of edges. G is r-regular if all vertices v in G have exactly r edges.

Bollobás [30] gave a bound on the size of automorphism groups for a regular graph G. Specifically, let θ be any permutation on the vertices of an n-node r-regular graph G; then the probability that G is invariant under θ is bounded by

Pr( θ ∈ Aut(G) ) ≤ [right-hand side illegible in source]   (1)

where s is the number of vertices moved by θ, t is the number of 2-cycles in θ, and u is the number of 3-cycles in θ. Thus, by trivial extension, the size of the automorphism group Aut(G) is bounded by

|Aut(G)| ≤ (n!) · [right-hand side illegible in source]   (2)

This  bound  may  look  formidable,  but  we  can  still  draw  some  preliminary  conclusions 
from  it.  Specifically,  as  the  regularity  of  G  grows,  the  bound  suggests  that  the  size  of  the 
automorphism  group  of  G  grows  as  well. 

Krasikov et al. [29] considered connected regular graphs, and gave a bound that shows the structure of automorphism groups of G with respect to regularity:

$$|\mathrm{Aut}(G)| \le n\,(r!)\,(r-1)^{\,n-r-1}, \qquad (3)$$

where r is the regularity of G. When n − r ≈ 0, |Aut(G)| is bounded approximately by n!, and when r is small, then |Aut(G)| is still bounded by n(r!)(r−1)^(n−r−1); in other words, when the regularity of G is close to the number of nodes of G, there exist very few distinct automorphism groups; when regularity is small compared to the number of nodes, then there exist more distinct automorphism groups.
Our conclusion based on this is that good graph selection entails the generation of a regular graph with a small automorphism group. This task does not seem at all trivial to us, but is deemed critical for successful development of this problem type into a successful zero knowledge protocol.


Application of Regular Graphs to k-round GI Protocol:

One often employs a confidence level, c, to measure the robustness of protocols. Taking into account the results we derived in the previous sections, a useful metric to measure the strength of the GI protocol is

$$\max_{k}\ \Pr[\text{eavesdropper uncovers } \sigma \text{ after the } (k+1)\text{th round}] > 1 - c;$$

that is, we wish to maximize the value of k such that the probability that the eavesdropper succeeds in uncovering σ with 1 − c probability happens just after k rounds. When c = 99.99%, this means that we want to find the maximal value of k such that for all j > k, the probability that the eavesdropper finds σ at the jth round is more than 0.01%.

Assuming the regular graph F is connected, then we have the following results:

Case 1: when regularity is large, n − r ≈ 0:

$$\begin{aligned}
\Pr[\text{eavesdropper uncovers } \sigma \text{ after the } k\text{th round}]
&= 1-\Big(1-\tfrac{1}{2}\cdot\frac{S_F}{n!}\Big)^{k} \\
&\le 1-\Big(1-\tfrac{1}{2}\cdot\frac{n\,(r!)\,(r-1)^{\,n-r-1}}{n!}\Big)^{k} \\
&\approx 1-\Big(1-\tfrac{1}{2}\cdot\frac{n!}{n!}\Big)^{k} \\
&= 1-\big(\tfrac{1}{2}\big)^{k}.
\end{aligned}$$

We see that the chance of an eavesdropper succeeding after just one round becomes very high (50%); moreover, at this point the chance of an eavesdropper succeeding reduces to a series of coin flips. Furthermore, for the protocol to be secure within some confidence percentage c, we need to estimate the value of k such that Pr[eavesdropper uncovers σ after the kth round] > 1 − c. For the case of 99.99% confidence, we maximize the value of k for

$$1-\big(\tfrac{1}{2}\big)^{k} > \frac{1}{10000}, \qquad (4)$$

and find that k < 0.00014. In other words, as soon as the protocol starts, it becomes impossible to maintain the 99.99% confidence threshold; by experimenting with small values of k we can see that the probability of an eavesdropper's success increases dramatically as the number of rounds increases:

Pr[eavesdropper uncovers σ after the first round] ≤ 0.5,

Pr[eavesdropper uncovers σ after the second round] ≤ 0.75,

Pr[eavesdropper uncovers σ after the third round] ≤ 0.875.

Case 2: when regularity r is small compared to n:

$$\begin{aligned}
\Pr[\text{eavesdropper uncovers } \sigma \text{ after the } k\text{th round}]
&= 1-\Big(1-\tfrac{1}{2}\cdot\frac{S_F}{n!}\Big)^{k} \\
&\le 1-\Big(1-\tfrac{1}{2}\cdot\frac{n\,(r!)\,(r-1)^{\,n-r-1}}{n!}\Big)^{k};
\end{aligned}$$

in this case, the chance of an eavesdropper succeeding after k rounds depends on the number of nodes in F and its regularity.

Again, we calculate the value of k for which the protocol achieves some level of confidence; let c = 99.99%, then we want to maximize the value of k such that

$$1-\Big(1-\tfrac{1}{2}\cdot\frac{n\,(r!)\,(r-1)^{\,n-r-1}}{n!}\Big)^{k} > \frac{1}{10000}; \qquad (5)$$

letting c = 99.99%, we are able to create a bound on k,

$$k < \frac{\log(9999/10000)}{\log\Big(1-\tfrac{1}{2}\cdot\frac{n\,(r!)\,(r-1)^{\,n-r-1}}{n!}\Big)}; \qquad (6)$$

using Stirling's Approximation for factorials, and choosing small values of r such that r > 3, we generate the following graph.
[Figure 3: surface plot of the maximum number of rounds k against Number of Nodes and Regularity; the legend bins k in steps of 13 from −4 to 126.]

Figure 3: Maximum number of rounds to maintain 99.99% confidence


Even for a small value of n, the bound on k is quite good. In particular, for a graph with 14 nodes and regularity of 3, the number of rounds needed before an eavesdropper succeeds with more than 0.01% chance is 207. Furthermore, the graph illustrates that in general, as long as the value of r is limited to less than √n, then the value of k will also be large enough for use in the GI protocol.
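The k-round bound above can be checked numerically. The following Python is an added example, not code from the report: it evaluates the per-round leak probability (1/2)(S_F/n!), confirms that the geometric-series sum of the "exactly the ith round" probabilities equals the closed form 1 − (1 − p)^k, and substitutes the Krasikov et al. bound n(r!)(r−1)^(n−r−1) for S_F as in Case 2. It uses exact factorials rather than Stirling's approximation, which is why it returns 202 rather than the 207 quoted in the text for n = 14, r = 3; the dense case n − r ≈ 0 collapses to the coin-flip series of Case 1. Function names are the example's own.

```python
# Added example, not from the report: eavesdropper-success model for the k-round
# GI protocol, using the Krasikov et al. bound on |Aut(F)| for connected
# r-regular graphs in place of S_F, as in Case 2 of the text.
import math
from fractions import Fraction


def per_round_success(s_f, n):
    """Probability that one round leaks sigma: tau in Aut(F) AND the coin flip is 1.
    s_f is |Aut(F)| and n the number of vertices; the result is an exact Fraction."""
    return Fraction(1, 2) * Fraction(s_f, math.factorial(n))


def prob_exactly_round_k(p, k):
    """Eavesdropper fails at rounds 1..k-1 and succeeds at round k (geometric law)."""
    return (1 - p) ** (k - 1) * p


def prob_after_k_rounds(p, k):
    """Closed form 1 - (1 - p)^k that the text derives for 'after the kth round'."""
    return 1 - (1 - p) ** k


def cumulative_by_sum(p, k):
    """Same quantity as prob_after_k_rounds, summed term by term; the two agree
    because the per-round probabilities form a geometric series."""
    return sum(prob_exactly_round_k(p, i) for i in range(1, k + 1))


def krasikov_bound(n, r):
    """Upper bound n (r!) (r-1)^(n-r-1) on |Aut(G)| for a connected r-regular graph."""
    return n * math.factorial(r) * (r - 1) ** (n - r - 1)


def max_rounds(n, r, c=Fraction(9999, 10000)):
    """Largest k such that the eavesdropper's success 1 - (1 - p)^k stays at or
    below 1 - c (0.01% for c = 99.99%), with p built from the Krasikov bound in
    place of S_F. This is the text's k < log(c) / log(1 - p), evaluated with
    exact factorials instead of Stirling's approximation."""
    p = per_round_success(krasikov_bound(n, r), n)
    if p >= 1:
        return 0                      # bound is vacuous: no round can be safe
    return math.floor(math.log(float(c)) / math.log1p(-float(p)))


if __name__ == "__main__":
    half = per_round_success(1, 1)    # Case 1: p collapses to 1/2
    for k in (1, 2, 3):
        print(k, prob_after_k_rounds(half, k))     # 1/2, 3/4, 7/8
    print("n=14, r=3 ->", max_rounds(14, 3), "rounds at 99.99% confidence")
    print("n=14, r=13 ->", max_rounds(14, 13), "rounds (dense case)")
```

`Fraction` keeps the probabilities exact until the final logarithm, so the geometric-series identity can be checked by equality rather than by tolerance; `math.log1p` avoids losing the tiny p in 1 − p.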

When  interpreting  these  results,  keep  in  mind  the  inversion  problem.  If  the  graph  can  be 
inverted  and  solved  more  easily,  then  the  confidence  should  be  based  on  the  difficulty  in 
solving  for  the  inverted  graph,  not  the  original.  This  problem  is  nullified  by  choosing  r  to 
be  n/2. 


3.1.4 Difficulty in generating good random regular graphs.

In  the  above  analysis,  we  showed  that  when  a  connected  graph  is  of  small  regularity,  then 
its  security  characteristics  are  quite  good.  The  characteristics  of  small-regularity  graphs 
seem  to  be  well  understood  [25,  27].  There  also  exist  algorithms  that  generate  random 
regular  graphs  under  some  constraints  in  non-exponential  time  [25,  26,  36].  However, 
we  have  not  seen  any  universal  random  regular  graph  generation  algorithm  that  meets  all 
of  our  restrictions. 




Further complicating the issue of generating good random regular graphs is the existence of efficient isomorphism finding programs, such as Nauty [28]. Nauty leverages any non-trivial automorphisms. It has been shown that Nauty is able to find isomorphisms for most graphs with fewer than 100 vertices in less than one second. For the graph isomorphism protocol to be secure, it is then necessary to generate random regular graphs with a large number of vertices while pruning the candidate graphs with large automorphism groups. This is a time-consuming task, given that the known algorithms for generating random regular graphs spend most of their time generating and eliminating unqualified graphs. Although the theoretical results show that some classes of graphs such as regular graphs may be good candidates for the GI protocol, there remains the obstacle that the current state-of-the-art algorithms for random graph generation are not efficient enough to warrant the use of GI as a basis for ZKP.

3.2 Factoring Requirements and Results

The  implementation  we  chose  was  generic,  not  aimed  for  maximal  performance.  An 
identification  scheme  such  as  Guillou-Quisquater  would  be  more  efficient  given  that  our 
implementation  only  ensures  weak  anonymity.  Our  goal  was  to  show  how  the  GI 
approach  compared  against  other  generic  approaches,  and  more  optimized  approaches 
such  as  Guillou-Quisquater  would  have  been  an  unfair  comparison  given  the  early  state 
of  the  GI  approach. 


3.2.1 Requirements

3.2.1.1 Key Generation Requirements

The public keys are n and a. In general, large primes p and q are chosen so that n is difficult to factor using current methods [32]. We assume an n of at least 1024 bits. Since a = x^2 (mod n), a also takes up at least 1024 bits. Thus, at least 2048 bits, or 256 bytes, of information must be made public before the rounds of zero knowledge proofs begin.

As for private key storage, since x < n, we assume x to take up at most 1024 bits.

Since there are a constant number of multiplications, the computation overhead is O(c).


3.2.1.2 Protocol Initiation Requirements

The values of r and y are 1024 bits, since they are both taken modulo n. Computing r is an O(c) operation.
3.2.1.3 Answer Generation Requirements

In the third step, z = r or z = xr (mod n) is sent to V, so at most 1024 bits are sent over the communication lines.


3.2.1.4 Verification Requirements

No  explicit  storage  is  required  at  this  step,  and  the  computational  overhead  for  answer 
verification  is  constant. 


3.2.1.5 Performance Complexity

The security of this protocol relies on the primes chosen. That is, assuming 1024 bits is "safe enough" for today, then a total of 1024*4 + s bits are sent over the communication lines over one round of zero-knowledge proof. Clearly, if a bigger prime is picked, say, of size B bits, then the communications overhead will scale linearly, and over k rounds is k(4B + s), or O(B).

The computational overhead is O(c).
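As an added example (not the report's implementation), the following Python simulates the Factoring rounds of 3.2 with small constructed primes in place of 512-bit ones. The text states only the sizes of r, y and z; the commitment y = r^2 (mod n) and the verifier's check of z^2 against y or a·y (mod n) are the standard Fiat-Shamir form and are assumptions here. The block also includes a prover who does not know x and guesses the coin before committing, which is why a single round gives such a cheater a 1/2 chance, and the round count from equation (8) of the Discussion, (1/2)^k < 0.0001, which gives 14. Function names are the example's own.

```python
# Added example, not from the report: toy simulation of the Factoring
# zero-knowledge identification rounds of 3.2, with small constructed primes.
import math
import random

# Constructed toy parameters; the text assumes 512-bit p and q so that n is 1024 bits.
P, Q = 1009, 1013
N = P * Q


def keygen(rng):
    """Private x coprime to n; public a = x^2 (mod n), as in 3.2.1.1."""
    while True:
        x = rng.randrange(2, N)
        a = pow(x, 2, N)
        if math.gcd(x, N) == 1 and a != 1:   # skip the degenerate a = 1 case
            return x, a


def honest_round(x, a, rng):
    """One round between a prover who knows x and an honest verifier.
    Commitment y = r^2 and the check of z^2 against y or a*y are the standard
    Fiat-Shamir form (assumed here; the text gives only the sizes of r, y, z)."""
    r = rng.randrange(1, N)
    y = pow(r, 2, N)                           # protocol initiation (3.2.1.2)
    coin = rng.randrange(2)                    # verifier's one-bit challenge
    z = r if coin == 0 else (x * r) % N        # answer generation (3.2.1.3)
    expected = y if coin == 0 else (a * y) % N
    return pow(z, 2, N) == expected            # verification (3.2.1.4)


def cheating_round(a, rng):
    """Prover without x guesses the coin before committing: for a guess of 1 it
    picks z first and commits y = z^2 * a^-1, so the answer passes only if the
    verifier actually flips 1. Each round is therefore a 1/2 gamble."""
    guess = rng.randrange(2)
    z = rng.randrange(1, N)
    y = pow(z, 2, N) if guess == 0 else (pow(z, 2, N) * pow(a, -1, N)) % N
    coin = rng.randrange(2)
    expected = y if coin == 0 else (a * y) % N
    return pow(z, 2, N) == expected


def run(rounds, prover="honest", seed=1):
    """Number of rounds passed out of `rounds` for the given prover type."""
    rng = random.Random(seed)
    x, a = keygen(rng)
    if prover == "honest":
        return sum(honest_round(x, a, rng) for _ in range(rounds))
    return sum(cheating_round(a, rng) for _ in range(rounds))


def rounds_for_cheat_bound(bound=0.0001):
    """Smallest k with (1/2)^k < bound; equation (8) of the report gives 14."""
    k = 0
    while 0.5 ** k >= bound:
        k += 1
    return k


if __name__ == "__main__":
    print("honest prover passes", run(200), "of 200 rounds")
    print("cheating prover passes", run(200, "cheater"), "of 200 rounds")
    print("rounds for < 0.01% cheat probability:", rounds_for_cheat_bound())
```

The honest prover passes every round because (xr)^2 = a·r^2 (mod n); the cheater's commitment is built backwards from a guessed challenge, so roughly half of its rounds fail, and 14 consecutive passes bring its success probability under 0.01%.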

3.2.2 Results

The curve here looks polynomial, as opposed to the O(c) predicted from the theoretical analysis of the protocol. This may be attributed to the computational overhead incurred by the physical limitations of the operational system. But note that even at 8192 bits the entire protocol completes in 7 milliseconds.
[Figure 4 plot; x-axis: Size of Simulated Integer, in Bits.]

Figure 4: Factoring Protocol Simulation


Results related to security are presented in section 3.4 and compared with the other two techniques.

3.3 Discrete Logarithm Requirements and Results

As with factoring, the implementation we chose was generic, not aimed for maximal performance. An identification scheme such as Schnorr would be more efficient given that our implementation only ensures weak anonymity. The goal was to show how the GI approach compared against other generic approaches, and more optimized approaches such as Schnorr would have been an unfair comparison given the early state of the GI approach.
3.3.1 Requirements

3.3.1.1 Key Generation Requirements

The values α, β, and N are generated; N is normally chosen to be a large prime, typically 1024 bits and above. Thus the prover will publish 3*1024 bits of information.

For the private key, x has at least φ(N) possible values, where φ(N) is the number of values less than N that are relatively prime to N. When N is prime, φ(N) = N − 1, so we can assume that x is about 1024 bits also.


3.3.1.2 Protocol Initiation Requirements

P selects r randomly from Z_N^*, so r is represented by 1024 bits. Note that Z_N^* are the non-zero integers less than N. y is also represented by 1024 bits, since it is taken modulo N. So 1024 bits is the communications overhead.

The exponentiation of α^r takes O(log r) steps.


3.3.1.3 Answer Generation Requirements

Since y is taken modulo φ(N), it is represented by 1024 bits.


3.3.1.4 Verification Requirements

The exponentiation takes O(log y) steps.


3.3.1.5 Performance Complexity

Like the Factorization Protocol, the communications overhead of the Discrete Logarithm protocol depends on the size of the prime. In the case of a 1024-bit prime, the total communication overhead incurred by the protocol is (5*1024 + s) bits. Over k rounds, and for B-bit primes, the total communications overhead is k(5B + s) bits, or O(B).

The total computation overhead in this protocol is O(log r + log y) = O(log ry).
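The Discrete Logarithm rounds of 3.3 as an added Python example (not the report's code), with a small constructed prime N. Assumptions beyond the text: the public β is α^x (mod N); the commitment is y = α^r (mod N); the answer, called z here to keep it distinct from the commitment, is r or r + x reduced modulo φ(N) = N − 1; and the verifier checks α^z against y or y·β (mod N). The hand-written square-and-multiply counts its squarings so the O(log r) exponentiation cost of 3.3.1.2 can be seen directly. Function names are the example's own.

```python
# Added example, not from the report: toy simulation of the Discrete Logarithm
# zero-knowledge identification rounds of 3.3, with a small constructed prime N.
import random

# Constructed toy parameters; the text assumes a prime N of 1024 bits and above.
N = 1000003       # prime, so phi(N) = N - 1 (3.3.1.1)
ALPHA = 2         # public base, an element of Z_N^*


def modexp(base, exp, mod):
    """Square-and-multiply. Returns (base^exp mod mod, squarings), where the
    number of squarings is the bit length of exp: the O(log r) cost of 3.3.1.2."""
    result, steps = 1, 0
    base %= mod
    while exp > 0:
        if exp & 1:
            result = (result * base) % mod
        base = (base * base) % mod
        exp >>= 1
        steps += 1
    return result, steps


def keygen(rng):
    """Private x in [1, N-2]; public beta = alpha^x (mod N) (assumed form)."""
    x = rng.randrange(1, N - 1)
    beta, _ = modexp(ALPHA, x, N)
    return x, beta


def dl_round(x, beta, rng):
    """One round. P commits y = alpha^r; V flips a coin; P answers r or r + x
    mod phi(N); V recomputes alpha^answer and compares with y or y*beta.
    Returns (passed, squarings spent by the verifier)."""
    r = rng.randrange(1, N)                    # r drawn from Z_N^* (3.3.1.2)
    y, _ = modexp(ALPHA, r, N)                 # commitment, sent to V
    coin = rng.randrange(2)                    # verifier's one-bit challenge
    z = r if coin == 0 else (r + x) % (N - 1)  # answer reduced mod phi(N) (3.3.1.3)
    lhs, steps = modexp(ALPHA, z, N)           # verification exponentiation (3.3.1.4)
    rhs = y if coin == 0 else (y * beta) % N
    return lhs == rhs, steps


def run_protocol(rounds, seed=7):
    """Returns (all rounds passed, max squarings any single verification needed)."""
    rng = random.Random(seed)
    x, beta = keygen(rng)
    outcomes = [dl_round(x, beta, rng) for _ in range(rounds)]
    return all(ok for ok, _ in outcomes), max(st for _, st in outcomes)


if __name__ == "__main__":
    ok, steps = run_protocol(50)
    print("all 50 rounds verified:", ok,
          "| max squarings per verification:", steps,
          "| bit length of N:", N.bit_length())
```

Reducing the answer modulo N − 1 is what keeps it to the size of N without breaking verification, since α^(N−1) ≡ 1 (mod N) for prime N; the squaring count never exceeds the bit length of N, which is the logarithmic behaviour the report expects before memory effects set in.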
3.3.2 Results

The graph shows an exponential growth in the running time, contrary to the expected logarithmic behavior from the theoretical analysis of the protocol. However, upon closer inspection, we do indeed see a logarithmic behavior up to about 2048 bits. This exponential growth after 2048 bits may be attributed to the fact that there isn't enough physical memory available for exponentiation of 2048-plus-bit numbers to a 2048-plus-bit number, even though in theory exponentiation takes logarithmic steps. In other words, the exponentiation procedure spends most of the time swapping memory in and out of the hard disk, resulting in the exponential curve that is shown in the graph. It is also worth noting that even with the exponential-like curve, the actual run time is still quite manageable; from the graph we see that at 4096 bits it still takes less than half a second to complete the entire protocol.


[Figure 5 plot, titled Discrete Logarithm Protocol Simulation; x-axis: Simulated Integer Size, in Bits.]

Figure 5: Discrete Logarithm Protocol Simulation

Results  related  to  security  are  presented  in  section  3.4  and  compared  with  the  other  two 
techniques. 
3.4 Discussion

In the previous sections, we investigated the properties of three different applications of Zero-Knowledge Protocol: Graph Isomorphism, Factoring, and Discrete Logarithm. The performance complexities of the protocols are summarized in Table 1. We find that over k rounds, the Graph Isomorphism protocol has a smaller communication overhead (since relatively small graphs may be used) than Factoring and Discrete Logarithm. The GI protocol may take significantly longer to generate good candidate graphs before the protocol can begin, however, because the efficient generation of random graphs with particular characteristics (such as regularity) is still an open research area [38]. On the other hand, generating large primes is a relatively fast process that takes polynomial time to complete [37].


Table 1: Summary of Performance Complexities

                         Factoring Protocol           Discrete Logarithm Protocol    GI Protocol
Variable Definitions     B: size of modulus, in bits  B: size of prime, in bits      r: regularity of graph
                         c: constant                  r: size of integer, in bits    n: number of nodes in graph
                                                      y: size of integer, in bits    S_G: |Aut(G)|
                                                                                     S_F: |Aut(F)|
Communication Overhead   O(B)                         O(B)                           O(rn)
Computation Overhead     O(c)                         O(log ry)                      O(n) + O(1/S_G) + O(1/S_F)

The computation overhead for the Factoring and Discrete Logarithm protocols also fares better than GI. From our analyses, we see that the Factoring and Discrete Logarithm protocols require constant and logarithmic overhead, respectively, while GI requires at least polynomial computation overhead. Thus, given limited computing resources, the Factoring and Discrete Logarithm protocols scale far better than GI in terms of performance, and are better choices for the implementation of ZKP.




We also investigated the security properties of these protocols; the results are summarized in Table 2. The security properties of the Factoring and Discrete Logarithm protocols are stronger than those of the GI protocol. Specifically, at the 99.99% confidence level, we see that the security of the GI protocol depends on the automorphism group of the candidate graph; when a "good" candidate graph is given, i.e. a graph with a small automorphism group, the GI protocol may be able to withstand the presence of an eavesdropper. However, given a "bad" candidate graph, the GI protocol may fail to meet the 99.99% confidence threshold from the get-go. We also studied the application of regular graphs in ZKP, and found that the GI protocol is more secure when the graph has lower regularity. For example, when a regular graph of 14 nodes and regularity of 3 is used, the protocol is able to tolerate the presence of an eavesdropper for about 207 rounds.
Table 2: Summary of Security Analysis.

                          Factoring Protocol          Discrete Logarithm Protocol   GI Protocol
Variable Definitions      N: 128-bit integer          N: 128-bit prime              F: random graph with 2^128 nodes
                          φ(N): Euler Phi function    φ(N): Euler Phi function      S_F: automorphism group of F; we assume a
                                                                                    relatively small automorphism group size,
                                                                                    such that S_F/n! ≈ 10^-10
1-Round Security          1/φ(N)                      1/φ(N)                        (1/2)(S_F/n!)
k-Round Security          k/φ(N)                      k/φ(N)                        (1 − (1/2)(S_F/n!))^(k−1) · (1/2)(S_F/n!)
Max Number of Rounds      10^34                       10^34                         2·10^6
Required to Maintain
99.99% Confidence Level

On the other hand, the security of the Factoring and Discrete Logarithm protocols relies entirely on the size of φ(N), where N is the composite in the Factoring protocol and the prime in the Discrete Logarithm protocol. For either protocol, for example, if N is 1024 bits, then φ(N) must also be roughly 1024 bits. Furthermore, since the protocols do not reveal extra information after the primes are chosen, an eavesdropper must resort to brute force guessing of the prover's secret. The probability of the eavesdropper's success at one round is 1/φ(N), an astonishingly low probability even when φ(N) is roughly 128 bits. If the eavesdropper attempts to exhaustively search through all possible numbers by guessing one number each round, then at the 99.99% protocol confidence, the number of rounds k required for the eavesdropper to succeed with more than 0.01% probability must satisfy

$$k/\varphi(N) > 0.0001. \qquad (7)$$

When φ(N) is 128 bits, k is roughly 10^34; the eavesdropper will not have any luck by guessing the prover's secret from the Factoring and the Discrete Logarithm protocols. This is significant because the prover typically exchanges zero-knowledge proofs with the verifier over a number of rounds, e.g. 20, that is much smaller than 10^34. Thus, for most ZKP exchanges, the Factoring and Discrete Logarithm protocols maintain the 99.99% confidence threshold.
In the general protocol, the probability that a malicious user successfully poses as a legitimate user is (1/2)^k, where k is again the number of rounds. We are interested in how many rounds it takes for the generic ZKP so that a cheater has less than 0.01% chance of passing all k rounds. This is found by solving for k in

$$(1/2)^{k} < 0.0001, \qquad (8)$$

and we find that k ≈ 13.28. Therefore it takes at least 14 rounds for a cheater to have less than 0.01% chance of succeeding. Given this information, we calculate the number of bits exchanged for each protocol in 14 rounds:

Table 3: Number of bits exchanged.

                          Factoring Protocol          Discrete Logarithm Protocol   GI Protocol
                          (128-bit prime used)        (128-bit composite used)      (Graph with 128-bit nodes used)
Number of Bits exchanged  14*4*128 = 7168 bits        14*5*128 = 8960 bits          Regular graph with r = n/2 edges = 64 bits;
in 14 rounds                                                                        64*128 = 8192 bits

As we can see, when a sparse graph is used in the GI protocol, the number of bits exchanged is competitive with the other two protocols.
4. Discussion and Future Work

In this paper we touched on the issues of identification and anonymity in ZKP protocols.

In an identification scheme, each person carries a secret key S that is known only to that person; associated with each S is a public key P that is derived from S using a cryptographically strong function, and the user authenticates himself to a server who holds the corresponding public key P. In a ZKP scheme, each user proves his identity to the server by answering questions about his secret key; the server verifies the answers by computing values based on P and other publicly available information. Note that in the ZKP scheme, the secret key S is never transmitted or revealed to the verifier. However, upon successful authentication of the user, 1 bit of information is revealed, namely, that that particular person is a legitimate user of the system. While the protocol itself may not reveal additional information about the secret key (thus preventing any impersonation attacks), the identification of the user may lead to other actions by the eavesdroppers, such as physically following the user, which may endanger the success of missions.

An authentication scheme that maintains anonymity is desired over identification schemes. Two types of anonymity exist: weak anonymity and strong anonymity. Weak anonymity is essentially defined as hiding in the masses. That is, assuming all legitimate users are given the same usernames and passwords, it would be hard for the server and the observers to identify any particular user in that group. Thus, any legitimate user remains anonymous among its peer group of legitimate users. It is obvious that this protocol becomes harder to keep secure as the user base expands. For example, if an individual's username and password are compromised, then the entire system is compromised. In this case, since the compromised user can't be revoked, there is no way to recover from this catastrophe. Therefore, any protocol with weak anonymity is clearly not scalable from a security maintainability perspective.

An authentication scheme guarantees strong anonymity when each user in the system is given a unique identification, yet is indistinguishable to an observer and the server. Very few ZKP algorithms currently in use support this, which partially explains why they are not in more widespread use. An interesting example of a protocol that has strong anonymity is described in [39]. The algorithm presented in that paper, however, is fairly inefficient compared to aggressively optimized identification schemes that are more commonly used in today's architectures. A good area of future work would be to explore methods for supporting characteristics such as strong anonymity and revocation, while still maintaining the efficient bandwidth characteristics of advanced identification protocols.
5. Conclusions

In this report, we investigated the use of the Zero Knowledge Protocol (ZKP) to authenticate and secure communication in a manner compatible with the requirements of an airborne network. We examined Factoring, Discrete Logarithm, and Graph Isomorphism protocols in detail. Theoretical analyses were conducted to study the applicability of these protocols; additionally, simulations of the Factoring and Discrete Logarithm protocols were run to study the scalability performance of these protocols. We found that while the simulation results of Factoring and Discrete Logarithms did not match the theoretical results due to limitations of computing hardware, the protocols still finished in the range of milliseconds with the use of thousand-bit primes. Our conclusion based on these preliminary results is that, even without an optimized implementation, the Factoring and Discrete Logarithm protocols appear quite promising for application in the airborne networking domain.

We also derived theoretical results for the Graph Isomorphism protocol. Our analysis indicates that random graph selection is insufficient, but that a regular connected graph with a small automorphism group may hold the properties necessary to provide the desirable security properties. There are several drawbacks to this approach, however. First, generation of graphs with these properties is non-trivial. The current state-of-the-art algorithms for regular graph generation are limited, and run in polynomial time only for certain classes of regular graphs. To further complicate the problem, there are fast isomorphism detection programs such as Nauty that force the GI protocol to use regular graphs with large numbers of nodes for better protocol security. The efficient generation of regular graphs with large numbers of nodes and moderate regularity poses a significant challenge in and of itself. Therefore the GI protocol may not be feasible for real-world deployment due to the algorithmic challenges in generation of good candidate graphs.

A second drawback is that there is no evidence that the question-answer exchange cannot be captured, analyzed, and used to significantly improve the guessing process of a malicious user. This property is well established in the literature for Factoring and Discrete Logarithms, but until it can be shown for Graph Isomorphism we would be extremely hesitant to base a security protocol around it.

The Factoring and Discrete Logarithm protocols perform exceptionally well in terms of security and overhead requirements. These protocols are efficient in their computation overhead; the Discrete Logarithm protocol requires just a logarithmic increase in computing overhead as the size of the prime increases; the Factoring protocol is even more efficient in that a constant amount of overhead is used no matter what size prime is used.
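As an added illustration (not code from the report, which does not specify which discrete-logarithm protocol it implemented), the following Python shows one round of a Schnorr-style zero-knowledge identification exchange over a prime-order subgroup of Z_p^*, with both sides' messages, together with the transcript simulator that is the reason a captured exchange cannot improve an eavesdropper's guessing, the property the next paragraph says is established for Factoring and Discrete Logarithms but not for Graph Isomorphism. Parameter sizes, the Miller-Rabin test, and all function names are assumptions made here.

```python
import random
import secrets

def is_probable_prime(n, rounds=16):  # Miller-Rabin, fine for demo-size parameters
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_params(bits):
    # Safe prime p = 2q + 1; g generates the order-q subgroup of Z_p^*.
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            break
    p = 2 * q + 1
    g = pow(secrets.randbelow(p - 3) + 2, 2, p)  # h in [2, p-2]: h^2 has order q
    return p, q, g

def keygen(p, q, g):
    x = secrets.randbelow(q - 1) + 1   # prover's long-term secret
    return x, pow(g, x, p)             # public key y = g^x mod p

def verify(p, g, y, t, c, s):
    return pow(g, s, p) == t * pow(y, c, p) % p   # accept iff g^s == t * y^c (mod p)

def honest_round(p, q, g, x, y):
    r = secrets.randbelow(q - 1) + 1
    t = pow(g, r, p)            # prover -> verifier: commitment
    c = secrets.randbelow(q)    # verifier -> prover: fresh random challenge
    s = (r + c * x) % q         # prover -> verifier: response
    return verify(p, g, y, t, c, s)

def simulate_transcript(p, q, g, y):
    # Zero knowledge: without x, pick c and s first and solve for t; the forged
    # (t, c, s) verifies, so a captured transcript teaches an eavesdropper nothing.
    c, s = secrets.randbelow(q), secrets.randbelow(q)
    t = pow(g, s, p) * pow(y, q - c, p) % p   # y^-c == y^(q-c) because y^q == 1
    return t, c, s
```

A forged transcript only verifies for the challenge chosen in advance; against a fresh challenge it fails, which is why the live exchange still proves knowledge of x while the recorded one proves nothing.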
Our overall conclusion is that there is some indication that it may be possible that Graph Isomorphism could be made into an efficient algorithm. The number of bits sent per degree of security granted shows promise. There is quite a bit of work that would be necessary, however, to make this approach viable. First, new techniques in graph generation must be developed. Second, challenge-response exchanges must be developed that can be proven to be resistant to analysis of previously captured exchanges. If these feats are both accomplished (a non-trivial accomplishment) then a Graph Isomorphism based zero knowledge protocol may be competitive with, but not clearly superior to, more established techniques such as Factoring or Discrete Logarithm protocols. Even then, we believe there is more risk of future scientists discovering new heuristic mechanisms to compromise its security characteristics than in the more established ZKP algorithms. This conclusion is based on the fact that the Factoring and Discrete Logarithm problems have been heavily scrutinized by large numbers of scientists for hundreds of years, and thus the difficulty of discovering heuristics that improve average-case analysis is better established for them than for the subset of graphs we are considering for Graph Isomorphism.

Based on these findings, we consider Factoring and Discrete Logarithm based zero-knowledge protocols to be the most promising of the algorithms investigated for potential application to airborne networking security protocols. We have implemented versions of both of these algorithms, and our preliminary results regarding speed and overhead reinforce these conclusions. We believe future work on expanding these approaches to efficiently support strong anonymity would be a valuable next step.
CA: Certificate Authority
CLE: Constrained Linear Equations
CVP: Closest Vector Problem
DAA: Direct Anonymous Attestation
EAAN: First Time Authentication for Airborne Networks
GI: Graph Isomorphism
ID: Identification
MANET: Mobile Adhoc Network
φ: Euler Phi function
PKP: Permuted Kernels Problem
PP: Perceptron Problem
PPP: Permuted Perceptron Problem
SD: Syndrome Decoding
SVP: Shortest Vector Problem
TCG: Trusted Computing Group
TPM: Trusted Platform Module
ZKP: Zero Knowledge Protocol
Z_N^*: non-zero integers modulo N